iim^ ^ safe aS>iI>:€ «i#»>fe ^^Si^ UIB^3 Ji^> ^l^^ig s a •^ss
(Flexible network security system and method to permit trustful process)

L^si -a^l 

H. l€- OJO|aS:t = S (Microsoft) AfoflA) ^S.^ ^>iJM (Windows XP) tH^^El 

(ICF : Internet Connection Firewall)# A^l^fe S.^olJ[l.

S 2fe ^5L^2i ^>:n|ofl-H M^S. ^^t\^ 4:«S«I<H7} ^}*«ffe SB. B 
o}o|ili(IP : Internet Protocol) ^7Wfe ^t|flloI>: Aol-^fe

Sa^ ifl* HSa'S ^^rfcofl :»i^*>7l ^*>o| cl:t#iflo|s|^ oIE^ 

iof^fe £^013. 
(Firewall)^ ifle^aaj Ajo|Sl ^2: ^;fl>j2f 22.o^ a|

5c. !€■ nJolaSriiSB. (Microsoft) Atofl>M ^S.-?- ^>:3ll (Windows XP) tH^-rEl 
*zafi| 'tfSJ^^ -sea 'l^aj^oicj. *gsi

«^ sa^ ^-asj aMEi^«u. iMEisi^ 21 

Hl^"^ »3lS}^€- of5:«}^S (Outbound) ^«}^H 

oa 7H^* PC ^Sj^olI^M^ ol (Stealth) 7l^olaJjii ^z^, 

aeja. ojEl9!S) £^ eJlo]#on ^^3* ala 

^^Elofl>M >^1^si5a«# ^•?■oa^^ MiB^a ^^tioii ^S^sict. 

olEl^ ^S}^^ oy^^ ^^o| tH* ^^ofl^ ome> ^ 
^m}7\ Zi^ ^o,£ «Q«to|. Host Sens Down'o|e(^ r^M^^ .

«}^. « x^ul>:# :«fl§*J^ ^^E]ofl ojEiyi <g:g 'J^Sj^o) ^:^SJ^. o|Ei^f 
Eiyi olHj^S ezfl^^ nfl^oQ. oiE^y5 "a^o) 

8o«j ass S2ii«i# ^^^^ « >i 

'ytiyi "ssi^on satH^H^i -^nj i^. t^^^ 

^ttl. FTP(File Transfer Protocol) . (Telnet) A|tH . P2P(Peer to
Peer) HSa^. 5Sa^ . ofl^^ HSa^ #21 iJesi •ZJEl^i! :4i
^ :4iHEfijcH^oj ^7}t}jL 5UJ2.oi. o)e4«V dkH

^nE?J)<H7} A}^*}^ BS.S.^ . oloim(IP : Internet Protocol) 4^

5a7| nfl^oil «o]oQ :g^:j^o| ^iul^i?} 5tl^. 

^7m *2fl 7|^fil sa^*}7| ^•V $ ^^21 o|e)9! ^ 

^S- ^*:«}7} 0>y ^HJ A}.8.^+#£ ^Tfl ^^«> 7l^sj oiE|y5 
pen/Close) ^^v}^ ^^1 ifle^s ^oMM ^A^l

(Firewall) 1J4»^ ^^<HI^ *>j# HSa^otl cfl 

it§ 4^^*^ §««>^ ifl^ as 4^?*: 9! (Inbound) « ezfl 

085121 ^^^M ^71 5^ ^^ofl §^sJ<H 2i^^ <>l^^ 

o\^^ SiBo]^ ^71 §«^slcH 

i«K uiB^a A}o)orixi ^-asife ^SAfi} 31^^ ^^«j2.s<4. Mis?ia 

•3^^ ^^EIS) efl^ 1413^43 »3|2>^ (Firewall) # o]^t}^ Ml 

BS.^^ 5^ i^/^S-^-a (Open/Close) 4^#*J^ :«fl 1 
^ 3 01 a>^B (Inbound) « M.^^ ^^S\ S:B7} ^

JLcf d >^7| ^ 1 ^7(1^. TCP(Transmission Control Protocol) S
4:?l!ol >M>HS ^*>ol E|^(Listen)§ 4^<8«J n«.

?J (Hooking)^ el^ 

d UDP(User Datagram Protocol) § ©1^*^^ 5>Jo| ^

. db^ofl^i ^71 -ft^ as (User Mode)ollAl 

old}. Ho3§ ^ -^gs) ^ -a^lolloll 11^^ Aisie ^ 5U^ 

»l#«>fe tflH^a Ji^> 91 =L Acf >^>iim7ll ^ 
S. 3# nlo|aS:SiBEAjofl^ «H.^i

S (Kernel Mode)^) (User Mode)£ M^o^^^^. 3.B<^M^

t:)H}o|:t He|o|iH (Device Driver)?^ ^§S|a. iHofl^fe 
S t>l#BJ?qoI>3 (Application)ol T^^^Cf. =l^Jl, iHoIlAj «>t 

(Socket)^] 71^ ^^oi AFD(afd.sys). NDIS(Ul£^a B^o]^ ^t-i^o]^ :
Network Driver Interface Specification) 9j TDI(^^ H^toliH o|e)^o|:^ :
Transport Driver Interface) £. -T^'lj^C}.

RB^M ^*ori ^m}^ afd.sysfe ^S.^2l ±^<^M 5LH 

:>(\^^ DLL(^^ ^}oJH^^S^ = Dynamic Link Library)©] usafd.dliaf 

TDI^ BS-S.^ >i^(Stack)£j >if?|on ^TflSj^ Tj'g 5LS olti«lol>^§ ;8o|av 
. NDIS^ NIC Clii>o)>: HSto1»{ (Network Interface Card Device Driver)## ^






(1) LSP(Winsock Layered Service Provider) : o| Dto]3S:ii£BA(oQA|
^*\^ ^^2.S.M, QoS(Quality Of Service), URL 9! i^jojEj :t (Data
rea«)Sl ^^SjoO ?lfol A}#S|^ D}o|aS4:nH tge^yjoa Slh ^i^H^ 

I (Service Provider Interface)^ ^l^V^S. . 

(2) ^i-?-^ 2000 sa^J ^El^ oiEl«)oI>: (Windows 2000 Packet Filtering 
Interface) : 2000€^ iSSl HSa^o) oJo|n1 9! SB ^
^ SUH^ ^E! c):£:3^E| (Filter Descriptor)^ ^»\t\

^olct. 

(3) Winsock DLL : D>ol3£:&B£ Winsock DLL# »)

DLLS 3.m\o^ t}^ 7]*i}o_^ «VC+. 

(4) :?^^cJ (Global Function Hooking) : ?i ^JE (Connect) , 
(Listen). -SgB(Send). elA]H(Recv). ^S^(Sendto). elAl«. (Recvfrom) 2} ^

^!£^i2l :?:ig SLS21 o^#B^^11ol>4o| 3.E,S\ E.E» 

A)#«}fe DeviceIoControl() J?^^3*}^ »3f^#
(1) £S ^E(Kernel Mode Socket Filter) : S.B.o^M
±^S\ XI^Sl DLLOI Mafd.dliol HH afd.sysfif 

(2) TDI S2)ol»i : tcpip.sys SeJol »l (\Device\RawIp, \Device\Udp,
\Device\Tcp, \Device\Ip, \Device\MULTICAST)ofl 2\t}o\ 'i^^ i^«}oI:±olI
IoAttachDevice() API§ ^Ei SBtol»HS •J^'flom. .
tcpip.sys^ 2. (Driver Object) oQ Ct>iSg«l E)]o|$ (Dispatch

(3) NDIS IM(InterMediate) : afola^dkHBAfoQ^H ^

^"a^-S^M. TCP/IPS^ se}oiii|sj NIC He}oHH 

<H ^S}^^. NAT (Network Address Translation) ^# 7H^*J^ U^o|Ct. 

(4) NDIS se}oliH : NDIS etol«£^^^£^ 

NdisRegisterProtocol , NdisDeregisterProtocol . NdisOpenAdapter ,
NdisCloseAdapter S NdisSend^^ ^^-idSJ B.^o\

^ NdisRegisterProtocol >>h-8-«}o1 ef^^ NdisProtocolHandle^ 

TCP/IPS^ 7l#fi| ^3.^ NDISa^ 

^ HB}o|i*| gi NIC HEfoliHSi i/o§ ^^Jt}^ 7l«}os «>cf. 
^ ^^oil>M "i^aj*^^ SLEi ±^ ^Ei. TDI

E| HEJolaJ. NDIS IM S2»oHH. NDIS S2»o|>H W^^M 4* 5tli

. ^"i^^iSfe NDIS IM He*oHH Hfe NDIS SeJo|iHoa.H ^^«H:},

m^€r 01 tfloI^<H] MUSIC}. oin}o c ojEiyi EjflSj^ 

^-?-<Hl^> ^«>^H B2fl51# om«> :g-^op^ ^^«vc}. 

EEiUqoj «rj^s| acflS 

S<q -^^sla. S28«|s| Sl^v}^ 2tJL. «^ 

of ^>.oj ^tgo) ^^if^iS 4*^51^ e^S.^ ^3.^ ^^^2.S.^. ojHf 

sa^ «s>flii© ■fr'aaj=! Mis^-ia a«j} ^i^tja 5! a n^^aoii 
*^nStt na, Winsock *5g§ $«(ot e|A ^^^IcJ. SE^ nafd.dlloa^

00 ^^>o| ^^«»B3. 5Efe. o|oiA| H^2| ^S^^ AFM-H ojofl 
^^o| ^^*»^. JEfe. TDloD ^I^SlJi TDloaJH^ oloQ 

TdiSetEvent()# $d}o1 TDI_EVENT_CONNECT7f S.^^ ^. ^^t}^^

aelJl. «lolEla'a =SS©(UDP : User Data«raB Protocol)£l 

. r&^oflAl l>a9!# ^71 recvfrom^ . S.B.<^M Winsock ^9^^

»JI^# -S^l iS§ ^*«}c}. i^. SLSofl^ o]o\M « 

AFIM)-M2| oiAVol 5U§ nil. TDIoflAl oH ^#«>fe TdiSetEvent()€ *

TDI_EVENT_RECEIVE_DATAGRAMo| "g^© nJI. itfl^l^ >M»H XHl^ ^"S" 

om as ^J-*!^^ -S-^ £HoJl>H Winsock ^e^oi. S^. ^i'^ i 

ofl>M ^"i S.E. ±^ ^E1. TDI SSfoliH^ ^oflAj >Ha1 SB 

A. HS£© ^AfrCP. UDP 91 OPEN/CLOSE 4^**^^ 

fif Dj^f7f^S. :S;5C ^E|. TDI ^Ej BB}olH|, NDIS IM HBfol*H. ^S.

1 2000 ^EJ :^t3l HEloltH. NDIS ^El H2}oliHofl>H ^ 
£.Sfe NDIS IM H2*o|Bl NDIS SB^oliH# ^t}<^ -S^^Cf.
* »sa^ ifl^ *i# ^^:ioQ Cj>:@«10|^^

^ MD5(Message Digest algorithm 5. dQaM "^JlHj^ 5) dt|4]

S ifl^ »l* HSU'S ^^Sfdkofl ^^•Jcf. 

l§. HSa^ 91 HSa'a MD5 68412^ n<U ^ol 

fi 1] 
H- HSa'a (650)00 §«s|oi Sl^ HSa^^^ «^?.H^.

20) t i^t^ AjiH 2te§ iJE 7l^:t(660)oa ^^^^Ic*. 

30)o.s 885!^ o| S8?I€^ ^om. aa^i^. 2S7^ 

5ttJ2.^. ^71 *2^^(630)§ ojqs^a. ^7] oie|9! 
[s. zjoo s.Aisi<H 5Usoi. *i# 3lr ^^it^ Hsa'a ^s.

:±:^ S701oliAi. :7JaI ^^.i^-Ei OPEN/CLOSE 5J 

#tTCP. UDP §) >8a§ ^. STOMl^. ^x|^oflAH >M»H 

«35<82| HSa^ol ifl^ BSn^ §^s|<H SU^ «Sa'a«i:M 

t>«. -S^l S703oIlA| olaj ^o) ifle^a^ A^#*>^ HS>fl>;2I B 

IJ'S^ 5S ^Al-^olI>M PsGetCurrentProcessId()

MD5 ^-Ma^ ol MD5 6fl4ia2f HSU^ ^ajl ^^S\ HS

^o) ei* BSa^ ^^:tofl si^;,! ol^§ ^o]z}. 

±^ S7O3O0.H2I ^af. §^^S|o| ofulftf^ ^^^^ 

2.^. rt^ S705oflJH. 4^#«f OPEN/CLOSE ^JLS >H»H aS^l OPEN/CLOSE o| 
S70Soa^fi| ^2j. fie?} ofulng, S706 91

^ S707oOAi. HSU^ ^lall ^S. 9J >I»H Ml^ »l* 

aBlJl. SSOSoflA^. ^7] ^^«} aest vfl^ 

Bfl^# »i^2}^J°S ^^*U. ^^S\0\ SiO^. d]-g.Bj)0} ^ iEO) 
i'^^ ^^«}^^ ofMe} oa^«»i5|^ ^o|c^. o| ^go| ^ojsj

^gsi A3*] 

o|^3f ^ ^^oq oiEiys «s}^ofl ^^o] «|^^ Hsa^ 

-flTn ^i^si sz^ns a 

7} 5a ct. 
uis^sia A|o|or)Ai *-t!si^ ^Afij -a^e^a^, »4Is^3<hi «i

^ tila^a S.Sit\^ (Firewall) 

asoll cfle> ^7] as *{.cfo| 

B Ml^ as -J^^: 9i 

^«>^S (Inbound)^ Sifl^ jfl^lSi XS?} >»7| 0)^ aS 

# a?J«M ojj^oi^ ^# -^^ o.^ ej^ >ys]^} ^ si^ as>MJ:±:^ 
^ 1 *oii 
W ff\^ HSa'a ^^o| ^^if>o\ ^^t\^ HSa^ ^S.^ BS.
^ ot&. ££3^ ^£ ^ MD5(Message Digest algorithm 5. oQ^

swi-i^ ais?ia ^1:^^. 

U^^f 3] 

^ 1 sa^iAi. 

^71 *l-8- ^iiH 50 

<4|E4q3 AMo«>«H ^S.S\ 3:^^ Ule^qaofl ^ 

Jfl 1 Ef^: 
^ 3 y?!):

^«J^S (Inbound)^ ezflsl afl^ioj ^e?^ >J^7l 3 ^3floflA| §-^S| 

^ asa'aofl ^*«^^ ^ 6 ^30: 

§ Si^t)^ o|f.6>^ MjE-q^ Ao> 

51 

^ 4 tJofl 81<H>H. 

TCP(Transmission Control Protocol) 1^ oj^o}^ -S-^yy ^ -r- . ^r^Qol >MtHS

^mol e1^(Listen)# ofl. ^^J (Hooking)# ^fj2.S>J^

^^is ijaj^^ oi^e^^ MlB^a a?} 
;4 4 ^<H1 5aol>H. 
r

UDP(User Datagram Protocol)5 ^-tJ^il ±^^M S??!

«M e^i*^ as (User Mode)o|I>l :9:s9# « iS^ . A|iH 5

S ?!# ^^is o\^t\^ iflje^a i^^ ^ti. 

^71 :^ 6 ^Tfl^. 

4§ ^^is ^a^^^ o|*^^fe tqe^a 

^7] ^ 2 ^?flolI^ ^^t}^ ^ife^ Hsa^ ©is. nsa 

9] 

^ 4 ijofl sao^Ai. 
^ 3 eJfloa^ -^^SM HSa'a ^Xl ^s.

s£§ 9i as ?!# me^ia 

loj 

^ 1 ct?q: 
3 =f3fl: 

^Uf^-H (Inbound)^ Sfl^2| SlB7\ -^7] ^ 3 'E^JlloIl^ 

^ ^ 5 "e^a : 5! 






§ ^^2.s. o\^fs}^ Mie^3 

«i 4* Slfe y^ElS ^ Sl^ 71^ i4I>0. 